For the purpose of carrying out its business operations as a medical facility and a trading company, Blocks Hospice EOOD processes personal data of individuals (“data subjects”) in strict compliance with Regulation (EC) 2016/679 (General Data Protection Regulation – GDPR), the Personal Data Protection Act, the healthcare regulatory framework, and the Company’s Privacy Policy.
According to the General Regulation, ‘personal data’ means any information relating to a natural person through which that natural person can be directly or indirectly identified.
‘Data concerning health’ means personal data related to the physical or mental health of a natural person. These data are subject to special protection, considering their sensitive nature, and are to be processed by medical professionals bound by the obligation of professional secrecy.
Personal data processing means any operation or set of operations which is performed on personal data by automated or other means.
This policy provides information on:
Who is data controller?
Who are the natural persons whose personal data are processed by the Company?
For what purposes and on what basis is personal data being processed?
To whom are personal data transmitted or disclosed
Personal data storing periods;
Data security measures;
Rights of individuals and methods by which they can be exercised.
Data Controller
The Data Controller is Blocks Hospice EOOD, address: Sofia, Dragalevtsi, Konstantin Pomyanov St., 1
The Company has specially appointed a Data Protection Officer who can be contacted by e-mail: gdpr@blocks.care and phone: +359 89 750 2898
Natural persons whose personal data are processed by the Company
Blocks Hospice processes personal data of the following natural persons:
(a) Patients and, where appropriate, their relatives;
(b) Staff – current and former employees of the Company, job applicants and trainees;
(c) Visitors to the medical facility;
(d) Contractors or potential contractors of the Company and their employees.
Purpose of processing
The Company processes personal data for the following purposes:
(a) Provision of health services – medical diagnostics, palliative care, etc.;
(b) Implementation of the Company’s legal obligations, in particular under the Health Act, the Medical Facilities Act, the secondary legislation on their application;
(c) Compliance with the staff-related requirements of the labour and social security legislation;
(d) Ensuring the security of patients, employees and property through video surveillance, registration, physical security and access control;
(e) Other legitimate purposes such as accounting services, maintenance and security of the Company’s website and IT systems, protection of the Company’s legitimate interests, including by court, etc.
Legal grounds for processing
Blocoks Hospice processes special categories of personal data such as health data, genetic data, or sexual life or sexual orientation data, only if any of the conditions of the General Regulation exists, and in particular:
(a) For the purposes of, medical diagnostics, provision of health or social care or treatment;
(b) To protect the vital interests of the data subject or of another natural person when the data subject is physically or legally incapable of giving his/her consent;
(c) To protect the public interest in public health, such as ensuring high standards of quality and safety of healthcare and medicinal products or medical devices;
(d) Subject to the explicit consent of the data subject for processing data for one or more specific purposes, unless the legislation does not allow for such consent.
The Company also processes other personal data in the presence of any of the alternative legal grounds under the General Regulation, in particular:
(a) Statutory obligations of the Company;
(b) Implementation of a contract, including the pre-contractual relations prior to its execution;
(c) The Company’s legitimate interests, in so far as they prevail the interests or the fundamental rights and freedoms of the data subjects;
(d) Freely expressed specific informed and unambiguous consent of the data subject. The consent already granted may be withdrawn by the data subject at any time in the same manner as it was granted.
To whom are personal data transmitted or disclosed
Blocks Hospice EOOD provides personal data to:
(a) Competent public authorities pursuant to statutory provisions, including to the National Health Insurance Fund, the Ministry of Health, NRA, NSSI, etc.;
(b) Other companies of Blocks Hospice EOOD Group, external laboratories or other medical facilities;
(c) Businesses providing services to the Company, including information maintenance and security of IT systems.
In all these cases, Blocks Hospice EOOD takes the necessary measures to protect the rights and interests of data subjects, such as requiring that data processors undertake explicit contractual obligations to ensure data security and confidentiality protection.
Personal data storing periods
The personal data of the patients is kept in compliance with the statutory periods set out for the relevant medical records.
The personal data of job applicants not approved for recruitment in the Company are kept for the period defined by the current data protection legislation following the end of the procedure and then returned to the data subjects or destroyed. The personal data may be stored for a longer period in order to make job offers only upon the written consent of the concerned applicant.
Video surveillance records and visitors’ registers are stored for 60 (sixty) days under the Private Security Act.
The personal data contained in accounting documents should be kept for the periods under Article 12 of the Accountancy Act.
Personal data security
Blocks Hospice EOOD applies all appropriate technical and organizational measures to ensure the security of personal data, including the express commitment of the employees to professional secrecy and confidentiality.
Rights of data subjects
Any natural person whose data is processed by Blocks Hospice EOOD has the following rights:
– The right of access to their personal data, including to receive a copy thereof;
– The right to correct or supplement any inaccurate or incomplete personal data;
– The right to delete any personal data illegally processed;
– The right to restrict the processing – in case of a legal dispute between the Company and the data subject – until the dispute is resolved or the legal claims are settled, exercised or protected;
– The right to the portability of the personal data concerning the data subject and which the latter has provided to the Company in a structured, commonly used and machine-readable format.
– The right to object – at any time and on grounds relating to his or her particular situation, unless there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the implementation of court procedures.
The right of access to health information can be exercised as laid down in Article 27 of the Health Act. Health information may be provided to third parties when:
– The treatment of the data subject continues in another medical institution;
– There is a threat to the health or life of others;
– It is necessary to identify a human body or to establish the causes of death;
– It is necessary for the needs of the state health control to prevent epidemics and spread of infectious diseases;
– It is necessary for the needs of medical expertise and social security;
– It is necessary for the needs of medical statistics or for medical research, once data identifying the patient has been deleted;
– It is necessary for the needs of the Ministry of Health, the National Center for Health Information, NHIF, regional health inspectorates and the National Statistical Institute.
Pursuant to the Personal Data Protection Act, the above rights may be exercised by submitting a written application to: office 15, fl. 5, 85 Aleksandar Malinov blvd, Mladost region, 1715, Sofia. The application should be made personally by the data subject or by a person explicitly authorized by him/her with a power of attorney certified by a notary and a copy thereof should be submitted with the application.
The response to the request for exercised right should be prepared on paper and received by the applicant at the address of the Company. The employees of the Company should verify the identity of the applicant by reference to the identity document submitted by the applicant and provide the reply in two copies, one for each party, signed by the applicant.
Protection of the rights of data subjects
Pursuant to the Personal Data Protection Act and the General Data Protection Regulation, any natural person who considers that his/her right to the protection of his or her personal data is violated may file a complaint with the Personal Data Protection Commission at: 2, Prof. Tsvetan Lazarov Blvd., 1592 Sofia, website: www.cpdp.bg.